1. Field of the Invention
The present invention relates to a network flow/stream simulation method, and more particularly, to a network flow/stream simulation method that arranges packets in order and processes retransmitted packets so as to reduce the amount of memory utilized.
2. Description of the Prior Art
Growth of the Internet has helped people in many aspects. However, conventional computer apparatuses and private personal data are vulnerable on various networks, and therefore various solutions exist for improving the defense of such apparatuses and data. For example, antivirus software and software firewalls, or firewall technologies and anti-hacking functions built into hardware, are conventional defensive solutions. In network hardware apparatuses, a firewall technology takes packets as its units and analyzes the contents of each packet. Anti-hacking technologies, however, additionally require the abilities to recombine packets and to detect patterns that span consecutive packets. This is because intrusive and malicious programs designed by hackers may be split into pieces during transmission, and the pieces may further arrive out of sequence or go missing depending on the network structure and its environment. Conventional intrusion detection technologies must therefore be able to recognize missing or out-of-sequence patterns; once the packets have been arranged in order, they are passed to an analysis engine, which restores the data from its pieces and analyzes it precisely. Gateway-based anti-virus wall technologies require similar capabilities. To relieve missing and out-of-sequence packets, reliable transmission protocols have thus become the primary communication protocols in network transmission.
Current intrusion detection technologies applied to reliable transmission protocols are primarily classified into two types. The first type relies on sockets and proxies: for example, a technology that employs routers or proxies as terminals and restores the original data of packets with the aid of sockets and proxies running Transmission Control Protocol/Internet Protocol (TCP/IP) belongs to the first type. A defect of the first type is that a large amount of memory is required to store packets in order to relieve missing and out-of-sequence packets. Moreover, TCP/IP lies on the third layer of the Open Systems Interconnection Model (OSI Model), so a large amount of time is spent transmitting data between the upper and lower layers of the OSI Model. The second type primarily utilizes queues to process packets and a huge amount of memory to store packets in order to simulate the sessions of a network, i.e., the possible situations of packets exchanged between different terminals. These situations include the flows between terminals, the status of the sliding window utilized by a terminal, and the processing of missing and out-of-sequence packets using packets buffered by routers and proxies, where the missing and out-of-sequence packets are not passed to sockets, so that sessions between terminals utilizing TCP/IP are simulated. Both types of intrusion detection technologies demand a great deal of both memory and performance, and moreover, the second type cannot effectively relieve the problems caused by retransmission.
If retransmitted and out-of-sequence packets can be relieved effectively and at the same time, and if the amount of utilized memory is significantly decreased, then packet retransmission is not easily ignored even under insufficient resources. Besides, the related defensive ability is not reduced, and the efficiency of simulating sessions is not lowered either.
In the prior art, an intrusion detection application called Snort is provided. Snort implements both real-time network flow/stream detection and packet management on the Internet Protocol. As mentioned above, Snort implements packet management with queues and packets. Snort may also detect various communication protocols by searching for characteristics of packets in order to prevent various malicious attacks hidden inside those packets. However, Snort lacks the integrated ability to simulate the abovementioned sessions, and thus cannot handle packet retransmission caused by missing packets. For these reasons, Snort is merely used as an intrusion detection system rather than an intrusion prevention system. The same bottlenecks are met even though in-line Snort continues to be researched.
Moreover, packets that are processed by an apparatus and then lost result in packet retransmission requests sent by the clients at both the receiving and transmitting ends. However, even if the retransmitted packets have each been checked by anti-virus software and scan engines, the retransmitted packets still cause other unexpected security defects while the apparatus handles out-of-sequence packets.
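As an added illustration of the ordering and retransmission handling that the two prior-art types above and the retransmission problem just described contend with (example code written for this page, not from the patent or from Snort), the following minimal stream reassembler delivers bytes to an analysis engine only in sequence, holds out-of-sequence segments, and discards retransmitted bytes instead of buffering them; the initial sequence number, the constructed request bytes and the arrival order are assumed sample inputs.

```python
class StreamReassembler:
    """In-order delivery of a TCP-like byte stream to an inspection engine.

    Out-of-sequence segments are held; bytes already delivered or already
    held are dropped rather than stored, so memory is bounded by the gap.
    """

    def __init__(self, isn):
        self.next_seq = isn           # next byte the analysis engine needs
        self.held = {}                # seq -> payload waiting for an earlier gap
        self.delivered = bytearray()  # contiguous bytes already handed over
        self.dropped = 0              # retransmitted bytes discarded, not stored

    def feed(self, seq, payload):
        """Accept one segment; return the bytes delivered in order by this call."""
        if seq < self.next_seq:       # retransmission of data already consumed
            cut = min(self.next_seq - seq, len(payload))
            self.dropped += cut
            seq, payload = seq + cut, payload[cut:]
        # Nothing new, or a duplicate of a segment already held: do not buffer.
        if not payload or len(self.held.get(seq, b"")) >= len(payload):
            self.dropped += len(payload)
            return b""
        self.held[seq] = payload      # a longer copy supersedes a shorter one
        return self._drain()

    def _drain(self):
        """Deliver every held segment now contiguous with next_seq and free it."""
        out = bytearray()
        for s in sorted(self.held):
            if s > self.next_seq:
                break                 # a gap remains; keep waiting for it
            data = self.held.pop(s)
            chunk = data[self.next_seq - s:]   # trim overlap with delivered bytes
            self.dropped += len(data) - len(chunk)
            out += chunk
            self.next_seq += len(chunk)
        self.delivered += out
        return bytes(out)


def demo():
    """Constructed sample: a request split into out-of-order, overlapping segments."""
    full = b"GET /index.html HTTP/1.1\r\n"
    r = StreamReassembler(isn=1000)
    r.feed(1000, full[0:8])    # in order: delivered immediately
    r.feed(1016, full[16:26])  # out of order: held, nothing delivered yet
    r.feed(1004, full[4:12])   # overlaps delivered data: only 4 new bytes kept
    r.feed(1008, full[8:16])   # closes the gap; the held tail is flushed too
    r.feed(1000, full[0:8])    # pure retransmission: dropped, no memory used
    return bytes(r.delivered), r.dropped, len(r.held)
```

`demo()` returns the fully restored request together with the count of retransmitted bytes discarded and an empty hold buffer, which is the memory saving the later approach in this document targets.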